As leading cybercrime gangs promise not to attack healthcare organizations during the COVID-19 pandemic, can we take them at their word?

The coronavirus pandemic continues to bring out the best in so many people as individuals, communities and businesses combine in the fight against COVID-19. It has also exposed the worse sides of some, from those clearing the supermarket shelves and preventing vulnerable people from getting the supplies they need, to profiteering companies. Then there are the cyber-criminals exploiting fear and the need for information to spread malware and defraud victims. But could the criminals be having a change of heart? The cybercrime groups behind two of the most prolific ransomware threats have issued statements that they will not attack healthcare and medical targets during the coronavirus crisis. The problem with this is twofold: can you take a criminal gang at their word, and can they prevent healthcare organizations from getting caught in the attack crossfire even if they wanted to?

The COVID-19 ransomware threat

Ransomware continues to be one of the most severe threats facing organizations of all kinds, especially as attack methods continue to evolve. Like any criminal enterprise, the gangs behind the operation of ransomware will exploit current concerns to infect victims. The coronavirus pandemic is, sadly, not exempt from this. We’ve already seen COVID-19 infection distribution maps laced with malware, and the U.S. Attorney, Scott Brady, has warned people to be wary of an “unprecedented” wave of coronavirus scams.

Ransomware cybercrime gangs promise to give healthcare a free pass

Lawrence Abrams, the creator of BleepingComputer, reached out to the cybercrime groups behind the operation of some of the most prolific and dangerous ransomware threats. Abrams asked a simple question: will you continue to target health and medical organizations during the COVID-19 pandemic? At the time of writing, two had replied and their answers might surprise many readers. The first to respond were the operators of the DoppelPaymer ransomware threat, who told Abrams that they “always try to avoid hospitals, nursing homes.” When attacking local government targets, they “do not touch 911,” although sometimes emergency communications are hit due to network misconfigurations.

Interestingly, the DoppelPaymer cybercrime group has said that if a medical or healthcare organization does get hit by mistake, then it will provide a free decrypter code. “If we do it by mistake, we’ll decrypt for free,” the threat actors said, although pharmaceutical companies are not included in this ransomware amnesty. “They earn a lot of extra on panic,” the criminals said, adding that they have “no wish to support them.”

DoppelPaymer is an example of what Microsoft refers to as human-operated ransomware, causing havoc with ransom demands that use exfiltrated data as leverage. This is where the promises not to target health organizations fall a little flat; the risk to third parties remains. Ask Lockheed Martin, SpaceX and Tesla who were victims of the kind of collateral damage that DoppelPaymer can cause. Although not infected by the ransomware themselves, sensitive documents belonging to them and exfiltrated from a parts supplier, which did fall victim, were published by the cyber-criminals.

Maze ransomware criminals confirm they will stop attacking medical organizations

The operators of the Maze ransomware threat also said they would stop attacking medical organizations until “the stabilization of the situation with the virus.” The Maze actors did not confirm whether a decrypter would be available if healthcare organizations are infected unintentionally. However, security vendor Emsisoft, in partnership with incident response outfit Coveware, emailed me to confirm that it will be offering a completely free of charge ransomware recovery service to critical care hospitals and other healthcare providers. This includes the development of a decryption tool where possible.

At the time of writing, there has been no such promise from the criminals behind the Ryuk threat. Ryuk was the ransomware that recently took down North Carolina city and county government systems, and led to the City of New Orleans declaring a state of emergency as 2019 came to an end.

Self-preservation and not altruism

“If this announcement from ransomware operators, also known as cybercriminals, is accurate, it is motivated by self-preservation and not altruism,” Ian Thornton-Trump, CISO at Cyjax, says. He bases this on the fact that the law-enforcement response to any such attack during a time of crisis like this would be “overwhelming.” And that’s before even considering the military and intelligence agency resources that could be thrown at criminals attacking critical healthcare targets during a pandemic. “The last thing cybercriminals want is an APT actor’s offensive capabilities deployed against them,” Thornton-Trump told me, “a particularly spectacular and effective ransomware attack may even elicit military action up to and including a special forces mission to take out the actors responsible for the cyber-attack.”

The criminals promise could be hard to implement in the real world where external facing IP addresses will not necessarily identify a target as being a healthcare organization, or part of the critical supply chain that supports one. “The delivery of health care from drugs, lab work to medical equipment such as N-95 masks or Brew Dog’s re-tooling to produce a product like a hand sanitizer,” Thornton-Trump explains, “involves a multitude of critical supply chain relationships: I fear that the criminals lack the knowledge of how multi-faceted health care delivery is and what organizations deliver the health care services.”

Thornton-Trump has some stark advice for those cyber-criminals: “shut down operations completely for the duration of the coronavirus pandemic, lest you draw the ire of an angry nation with significant cyber capabilities of their own.”

Jake Moore, a cybersecurity specialist at ESET, warns that considering these promises, “we mustn’t get complacent as there are thousands of threat actors, each with a different level of conscience and ethics.” Even if these groups that responded, he argues, can be trusted, “that doesn’t mean the health sector should take their eye off the ball for any moment. Don’t forget that WannaCry crippled the NHS without any thought of the impact on the country and cost to the industry.” And WannaCry wasn’t even targeting healthcare; the NHS was just collateral damage.

We’re Cloudscape.

We believe you should have the best backup solutions for your business.

We’ll get to know your business and determine the most appropriate solution to meet your technical requirements while being commercially sensible in cost and productive with time.

If you feel that your data isn’t being backed up correctly, please get in touch.

News Source: https://www.forbes.com/sites/daveywinder/2020/03/19/coronavirus-pandemic-self-preservation-not-altruism-behind-no-more-healthcare-cyber-attacks-during-covid-19-crisis-promise/#7346090f252b

Security experts say a spike in email scams linked to coronavirus is the worst they have seen in years. Cyber-criminals are targeting individuals as well as industries, including aerospace, transport, manufacturing, hospitality, healthcare and insurance.

Phishing emails written in English, French, Italian, Japanese, and Turkish languages have been found.

1. Click here for a cure

Researchers at the cyber-security firm Proofpoint first noticed a strange email being sent to customers in February. The message purported to be from a mysterious doctor claiming to have details about a vaccine being covered up by the Chinese and UK governments.

The firm says people who click on the attached document are taken to a spoof webpage designed to harvest login details. It says up to 200,000 of the emails are being sent at a time.

“We have seen 35-plus consecutive days of malicious coronavirus email campaigns, with many using fear to convince victims to click,” says Sherrod DeGrippo from the company’s threat research and detection team.

Proofpoint says three to four variations are launched each day.

“It’s obvious these campaigns are returning dividends for cyber-criminals,” says Ms DeGrippo.

The best way to see where a link will take you is to hover your mouse cursor over it to reveal the true web address. If it looks dodgy, don’t click.

2. Covid-19 tax refund

Researchers at cyber-security firm Mimecast flagged this scam a few weeks ago. On the morning they detected it, they saw more than 200 examples in just a few hours.

If a member of the public clicked on “access your funds now”, it would take them to a fake government webpage, encouraging them to input all their financial and tax information.

“Do not respond to any electronic communication in relation to monies via email,” says Carl Wearn, head of e-crime at Mimecast. “And certainly do not click on any links in any related message. This is not how HMRC would advise you of a potential tax refund.”

3. Little measure that saves

Hackers pretending to represent the World Health Organization (WHO) claim that an attached document details how recipients can prevent the disease’s spread.

“This little measure can save you,” they claim.

But Proofpoint says the attachment doesn’t contain any useful advice, and instead infects computers with malicious software called AgentTesla Keylogger.

This records every keystroke and sends it to the attackers, a tactic that allows them to monitor their victims’ every move online.

To avoid this scam, be wary of emails claiming to be from WHO, as they are probably fake. Instead visit its official website or social media channels for the latest advice.

4. The virus is now airborne

The subject line reads: Covid-19 – now airborne, increased community transmission.

It is designed to look like it’s from the Centres for Disease Control and Prevention (CDC). It uses one of the organisation’s legitimate email addresses, but has in fact been sent via a spoofing tool.

Cofense, the cyber-defence provider, first detected the scam and describes it as an example of hackers “weaponising fear and panic”.

It says the link directs victims to a fake Microsoft login page, where people are encouraged to enter their email and password. Then victims are redirected to the real CDC advice page, making it seem even more authentic. Of course, the hackers now have control of the email account.

Cofense says the combination of a “rather good forgery” and a “high stress situation” make for a potent trap.

One way to protect yourself is to enable two-factor authentication, so that you have to enter a code texted or otherwise provided to you, to access your email account.

5. Donate here to help the fight

This example was reported to malware experts Kaspersky. The fake CDC email asks for donations to develop a vaccine, and requests payments be made in the cryptocurrency Bitcoin.

The premise is of course ridiculous, but the email address and signature look convincing.

Overall, Kaspersky says it has detected more 513 different files with coronavirus in their title, which contain malware.

“We expect the numbers to grow, of course, as the real virus continues to spread,” says David Emm, principal security researcher at the firm.

We’re Cloudscape.

We believe you should have the best backup solutions for your business.

We’ll get to know your business and determine the most appropriate solution to meet your technical requirements while being commercially sensible in cost and productive with time.

If you feel that your data isn’t being backed up correctly, please get in touch.

News Source: https://www.bbc.co.uk/news/technology-51838468